MalwareBazaar no file name bug (#23937)
* fix bug

* RN and metadata were updated

* docker image was updated

* RN was edited

* unit test was added
rshunim authored and YuvHayun committed Jan 23, 2023
1 parent 7ee5740 commit 88a32ad
Showing 6 changed files with 334 additions and 2 deletions.
Expand Up @@ -187,6 +187,8 @@ def file_command(client: Client, args: Dict[str, Any]) -> List[CommandResults]:
else:
check_query_status(raw_response)
response_data = raw_response.get('data')[0]
if file_name := response_data.get('file_name'):
response_data['file_name'] = '' if file_name == 'file' else file_name
command_results.append(file_process(hash, reliability, raw_response, response_data))
return command_results
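Review bot: The `else` arm of the new conditional expression on the second added line writes `file_name` back unchanged, so the walrus binding exists only to feed one comparison; `if response_data.get('file_name') == 'file': response_data['file_name'] = ''` expresses the same rewrite without the self-assignment. Blanking the literal string 'file' also discards the name of any sample that is genuinely called `file`; if MalwareBazaar documents 'file' as its placeholder for an unnamed sample, a comment such as `# MalwareBazaar reports the placeholder 'file' when a sample has no name` would record why the value is dropped. The enclosing file_command starts outside the hunk.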

Expand Up @@ -491,7 +491,7 @@ script:
- contextPath: MalwareBazaar.MalwarebazaarSamplesList.intelligence.mail
description: Indicates if this malware sample has been seen in global spam traffic.
type: String
dockerimage: demisto/python3:3.10.8.37753
dockerimage: demisto/python3:3.10.9.44472
feed: false
isfetch: false
longRunning: false
Expand Up @@ -85,6 +85,31 @@ def test_file_command(requests_mock):
assert response[0].relationships is not None


def test_file_command_no_file_name(requests_mock):
"""
Given:
- Request file reputation, given hash array with file hash of a file without name
When:
- Running a file reputation command
Then:
- Make sure file reputation without file_name is returned (an empty string in outputs and removed from the
human-readable).
"""
mock_response = util_load_json('test_data/file_without_name.json')
requests_mock.post(BASE_URL, json=mock_response)

client = create_client()

args = {"file": ["620c496e18e3256af0712541f18f19ed0105b264ce9e1fe40698066480bd7397"]}
response = MalwareBazaar.file_command(client, args)

assert response[0].outputs.get('file_name') == ''
assert response[0].raw_response.get('file_name') is None


def test_does_not_raise_on_yara_rules_none():
"""
Given:
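Review bot: The new test_file_command_no_file_name does not appear to reach the branch it was added for: the fixture it loads (test_data/file_without_name.json, shown later on this page) carries a top-level `"file_name": ""`, which is falsy and therefore skips the new `file_name == 'file'` rewrite in file_command, so the test would pass without the fix; setting that fixture value to `"file"`, or adding a second case that does, would pin the change. The assertion `response[0].raw_response.get('file_name') is None` also looks vacuous if raw_response is the full API payload, whose top level holds only `query_status` and `data`; asserting on `raw_response['data'][0]['file_name']` instead would check a value the change actually touches.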
@@ -0,0 +1,300 @@
{
"query_status": "ok",
"data": [
{
"sha256_hash": "620c496e18e3256af0712541f18f19ed0105b264ce9e1fe40698066480bd7397",
"sha3_384_hash": "",
"sha1_hash": "7fd4bd7006b845adfdccb24a409e772c8f5d359b",
"md5_hash": "11cc25cbcd820d5628d7620907c283b3",
"first_seen": "2023-01-18 11:55:15",
"last_seen": null,
"file_name": "",
"file_size": 7637578,
"file_type_mime": "application/x-dosexec",
"file_type": "exe",
"reporter": "andretavare5",
"origin_country": null,
"anonymous": 0,
"signature": null,
"imphash": "3786a4cf8bfee8b4821db03449141df4",
"tlsh": "",
"telfhash": null,
"gimphash": null,
"ssdeep": "",
"dhash_icon": "848c5454baf47474",
"comment": "",
"archive_pw": null,
"tags": [
"exe"
],
"code_sign": null,
"delivery_method": "web_drive-by",
"intelligence": {
"clamav": [
""
],
"downloads": "225",
"uploads": "1",
"mail": null
},
"file_information": [
{
"context": "dropped_by_malware",
"value": "PrivateLoader"
},
{
"context": "cape",
"value": ""
}
],
"ole_information": [],
"yara_rules": null,
"vendor_intel": {
"ANY.RUN": [
{
"malware_family": null,
"verdict": "Malicious activity",
"file_name": "file",
"date": "2023-01-18 12:00:39",
"analysis_url": "",
"tags": []
}
],
"CERT-PL_MWDB": {
"detection": null,
"link": ""
},
"YOROI_YOMI": {
"detection": "Malicious File",
"score": "0.73"
},
"vxCube": {
"verdict": "malware2",
"maliciousness": "100",
"behaviour": [
{
"threat_level": "malicious",
"rule": "Adding exclusions to Windows Defender"
},
{
"threat_level": "malicious",
"rule": "Enabling autorun by creating a file"
},
{
"threat_level": "suspicious",
"rule": "Blocking the Windows Defender launch"
},
{
"threat_level": "neutral",
"rule": "Searching for the window"
},
{
"threat_level": "neutral",
"rule": "Creating a file in the %temp% subdirectories"
},
{
"threat_level": "neutral",
"rule": "Creating a process from a recently created file"
},
{
"threat_level": "neutral",
"rule": "Using the Windows Management Instrumentation requests"
},
{
"threat_level": "neutral",
"rule": "\\u0421reating synchronization primitives"
},
{
"threat_level": "neutral",
"rule": "Launching a process"
},
{
"threat_level": "neutral",
"rule": "Modifying a system file"
},
{
"threat_level": "neutral",
"rule": "Launching cmd.exe command interpreter"
},
{
"threat_level": "neutral",
"rule": "Sending a custom TCP request"
},
{
"threat_level": "neutral",
"rule": "Creating a process with a hidden window"
},
{
"threat_level": "neutral",
"rule": "Forced system process termination"
},
{
"threat_level": "neutral",
"rule": "Replacing files"
},
{
"threat_level": "neutral",
"rule": "Launching a service"
},
{
"threat_level": "neutral",
"rule": "Deleting a recently created file"
},
{
"threat_level": "neutral",
"rule": "Sending a UDP request"
}
]
},
"Intezer": {
"verdict": "suspicious",
"family_name": null,
"analysis_url": ""
},
"InQuest": {
"verdict": "MALICIOUS",
"url": null,
"details": [
{
"category": "info",
"title": "Windows PE Executable",
"description": "Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious."
}
]
},
"Triage": {
"malware_family": null,
"score": "10",
"link": "",
"tags": [
"discovery",
"evasion",
"spyware",
"stealer",
"trojan"
],
"signatures": [
{
"signature": "Modifies Windows Defender Real-time Protection settings",
"score": "10"
},
{
"signature": "Windows security bypass",
"score": "10"
},
{
"signature": "Blocklisted process makes network request",
"score": "8"
},
{
"signature": "Executes dropped EXE",
"score": "8"
},
{
"signature": "Checks BIOS information in registry",
"score": "7"
},
{
"signature": "Checks computer location settings",
"score": "7"
},
{
"signature": "Loads dropped DLL",
"score": "7"
},
{
"signature": "Reads user/profile data of web browsers",
"score": "7"
},
{
"signature": "Checks installed software on the system",
"score": "6"
},
{
"signature": "Drops Chrome extension",
"score": "6"
},
{
"signature": "Drops file in System32 directory",
"score": "5"
},
{
"signature": "Drops file in Program Files directory",
"score": "4"
},
{
"signature": "Drops file in Windows directory",
"score": "4"
},
{
"signature": "Enumerates physical storage devices",
"score": "3"
},
{
"signature": "Creates scheduled task(s)",
"score": null
},
{
"signature": "Enumerates system info in registry",
"score": null
},
{
"signature": "Modifies data under HKEY_USERS",
"score": null
},
{
"signature": "Suspicious behavior: EnumeratesProcesses",
"score": null
},
{
"signature": "Suspicious use of AdjustPrivilegeToken",
"score": null
},
{
"signature": "Suspicious use of WriteProcessMemory",
"score": null
}
],
"malware_config": []
},
"ReversingLabs": {
"threat_name": "Win32.Trojan.Jaik",
"status": "MALICIOUS",
"first_seen": "2023-01-18 11:56:11",
"scanner_count": "39",
"scanner_match": "11",
"scanner_percent": "28.21"
},
"Spamhaus_HBL": [
{
"detection": "suspicious",
"link": ""
}
],
"UnpacMe": [
{
"sha256_hash": "348a9c042b2e9ef5dbd0de5cd34b5f50dd080ee671cadd026f1c9ce477000722",
"md5_hash": "79eb185b1cc44028e7f1e94c6adb386c",
"sha1_hash": "d21a7a63b64993d10a691ca10eb7fdac78fbf0a5",
"detections": [],
"link": ""
},
{
"sha256_hash": "620c496e18e3256af0712541f18f19ed0105b264ce9e1fe40698066480bd7397",
"md5_hash": "11cc25cbcd820d5628d7620907c283b3",
"sha1_hash": "7fd4bd7006b845adfdccb24a409e772c8f5d359b",
"detections": [],
"link": ""
}
],
"FileScan-IO": {
"verdict": "INFORMATIONAL",
"threatlevel": "0.2",
"confidence": "1",
"report_link": ""
}
},
"comments": null
}
]
}
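--- a/Packs/MalwareBazaar/ReleaseNotes/1_0_12.md
+++ b/Packs/MalwareBazaar/ReleaseNotes/1_0_12.md
@@ -0,0 +1,5 @@
+
+#### Integrations
+##### MalwareBazaar
+- Fixed an issue when there was no file name and the ***file*** command, returned 'file' as the file name.
+- Updated the Docker image to: *demisto/python3:3.10.9.44472*.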
2 changes: 1 addition & 1 deletion Packs/MalwareBazaar/pack_metadata.json
Expand Up @@ -2,7 +2,7 @@
"name": "MalwareBazaar",
"description": "MalwareBazaar offers an API to download malware samples, comment malware samples, and obtain intel based on file hash, tag, signature, file type, etc.",
"support": "xsoar",
"currentVersion": "1.0.11",
"currentVersion": "1.0.12",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",
